Tread Lightly with Threat Intel Add-Ons

Like leather upholstery for your new car, add-ons to your threat intelligence service are hard to resist. But Chris Camacho of Flashpoint* says “buyer beware”: threat intel add-ons may be more trouble than they’re worth.

If you’ve ever shopped for a new car, you’re likely familiar with the dizzying number of add-on features available—from custom paint jobs to built-in navigation systems. These features are enticing for an obvious reason: they enable you to customize your car to your preferences, and often at a reasonable price point.

Add-ons exist for more than just cars, of course. They’re increasingly available in the threat intelligence market, particularly with respect to datasets. Deep & Dark Web (DDW) data add-ons have grown especially prevalent in recent years, but as with any security-oriented product or service, these offerings aren’t suitable for everyone. Here are some key factors to consider before purchasing a DDW data add-on for your intelligence program:

Chris Camacho is a VP of Strategy at Flashpoint.

Add-on = automation

Regardless of the offering, a hallmark of add-ons is that once they are brought to market, vendors can usually continue to offer them at scale without impeding operational efficiency or marginal revenue. Car dealers are able to offer so many different add-ons because car manufacturers can quickly and easily produce and supply them to meet demand, for example.

This concept also characterizes DDW data add-ons, most of which employ automation in certain areas to boost efficiency and minimize manual effort for both the vendors and their customers. A common example is automated alerting features that notify users in near real-time when a preselected keyword—such as the name of a company, shareholder, or product, for example—is identified within an add-on dataset.
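To make the automation point concrete, here is an added example (not code from the article or from Flashpoint) of what a keyword-alerting feature over an add-on dataset amounts to. The records, source tiers, and watch-list terms are constructed placeholders. It contrasts a plain substring search with a whole-token match, and it leaves the `vetted` and `context` fields of every alert empty, because what such a feature emits is data, not finished intelligence; a coverage count by source tier also shows that only the tiers automation can reach ever appear in the output.

```python
import re
from dataclasses import dataclass


@dataclass
class Record:
    """One collected DDW post (constructed sample data, not a real add-on feed)."""
    source: str
    tier: str   # the kind of source automated collection reached it from
    text: str


# Constructed sample records: only marketplace and low-tier forum posts,
# because that is what fully automated collection typically covers.
SAMPLE_RECORDS = [
    Record("market-A", "marketplace", "Selling admin access to Acme mail server, DM for price"),
    Record("forum-B", "low_tier_forum", "new acmeware loader, fully undetectable, cheap"),
    Record("market-A", "marketplace", "AcmeVPN credential dump, 2k lines, fresh"),
    Record("forum-B", "low_tier_forum", "anyone have a mirror for the old tutorials?"),
]

# Hypothetical customer watch list: a company name and a product name.
WATCHLIST = ["Acme", "AcmeVPN"]


def naive_alerts(records, terms):
    """Plain case-insensitive substring search, the simplest possible alerting feature.

    Fires on 'acmeware' for 'Acme' and on 'AcmeVPN' twice (once per term),
    which is the kind of noise an analyst has to weed out by hand.
    """
    hits = []
    for rec in records:
        lowered = rec.text.lower()
        for term in terms:
            if term.lower() in lowered:
                hits.append((term, rec.source))
    return hits


def keyword_alerts(records, terms):
    """Whole-token, case-insensitive match so 'acmeware' does not fire for 'Acme'.

    Each alert is still raw data: nothing here vets the post or supplies
    context, so those fields are left empty for an analyst to fill in.
    """
    patterns = {
        term: re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)
        for term in terms
    }
    alerts = []
    for rec in records:
        for term, pattern in patterns.items():
            if pattern.search(rec.text):
                alerts.append({
                    "term": term,
                    "source": rec.source,
                    "tier": rec.tier,
                    "text": rec.text,
                    "vetted": False,   # accuracy not checked by the feed
                    "context": None,   # relevance to the customer's IRs unknown
                })
    return alerts


def coverage_by_tier(records):
    """Count records per source tier.

    Closed, invite-only tiers never show up in an automated feed, so a
    missing tier here is a visibility gap rather than an absence of activity.
    """
    counts = {}
    for rec in records:
        counts[rec.tier] = counts.get(rec.tier, 0) + 1
    return counts


if __name__ == "__main__":
    print("naive hits:", naive_alerts(SAMPLE_RECORDS, WATCHLIST))
    for alert in keyword_alerts(SAMPLE_RECORDS, WATCHLIST):
        print("alert:", alert)
    print("coverage:", coverage_by_tier(SAMPLE_RECORDS))
```

On the constructed sample, the substring search produces four hits and the whole-token match two; neither tells the reader whether the post is credible or matters to a given program, which is the analytic work the rest of this article describes.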


Data collection is another area where automation often comes into play. Fully automated data collection is common among add-ons and often praised for its efficiency, but this type of collection does have certain limitations. Specifically, automated collection is typically only possible for DDW data that exist within relatively accessible sources, such as some of the larger DDW marketplaces and lower-tier forums. Although these types of sources can and do support many intelligence operations, they represent only a fraction of the DDW communities in which adversaries operate, illicit activity occurs, and valuable data are present. Despite promising advancements in recent years, accessing and collecting data from various other types of DDW communities requires a caliber of human expertise that automation alone can’t yet mimic.

Closed sources such as invite-only forums, for example, are largely inaccessible to all but the most sophisticated adversaries and highly skilled analysts. Because many of these forums don’t operate in English, gaining access requires extensive linguistic expertise. And in most cases, fluency in certain languages isn’t enough. In order to earn the trust of forum administrators who are responsible for vetting and granting access to new members, analysts also need a keen grasp on the social and cultural nuances that exist within these highly exclusive communities.

Until automation becomes capable of replicating such skills, the many DDW data add-ons that employ fully automated collection will likely be unable to provide visibility into closed or otherwise highly exclusive sources.

Deriving value from DDW data is a hands-on process

In addition to being relatively painless for vendors to offer at scale, threat intelligence add-ons are also promoted as self-sustaining utilities. For instance, if I purchased leather upholstery as an add-on with a new car, it would almost certainly bestow comfort and aesthetics for years and with very little, if any, maintenance required.

DDW data, unfortunately, does not provide that kind of self-sustaining utility. Collecting threat intelligence data that is valuable, relevant, and from an adequate breadth of sources requires substantial resources and human expertise. But so does deriving value from such data. Regardless of its source, DDW data must be thoroughly analyzed, contextualized, and processed into intelligence—and ideally, finished intelligence—before it is suitable for consumption. But in most cases, add-ons of DDW data contain little more than, well, data that has likely not been vetted for accuracy and relevance and likely also lacks context.

As a result, intelligence practitioners seeking to purchase DDW data add-ons should be prepared to invest time and resources into analyzing and processing such data to make it suitable for consumption. Some programs have the ample resources and expertise necessary to operationalize and produce finished intelligence from massive quantities of data with limited external support, but many do not.

DDW data is not one size fits all

The new-car analogy embodies another characteristic inherent to most add-ons: uniformity. If my neighbor buys the same car with the same leather upholstery as me, for example, it should provide him with the same level of comfort, aesthetics, and overall utility that it provides me.

Uniformity also tends to underpin DDW data add-ons because, as I mentioned, most are based on fully automated collection strategies. As a result, these types of offerings typically contain similar types of data from similar types of sources. But while the intelligence practitioners who purchase these offerings usually do so for the same reasons—to help satisfy their operations’ intelligence requirements (IRs)—it’s crucial to remember that IRs and the types of data needed to satisfy them can vary immensely across programs, organizations, industries, and so on.

In other words, DDW data is not one size fits all—and neither are collection strategies. Keep in mind that your IRs lay the foundation and set the direction for the entirety of your intelligence operation, so it’s important to find a vendor that understands your IRs and, ideally, can tailor its collection strategy to them as necessary. Instead of relying solely on automation and taking a hands-off approach with customers, these vendors typically have agile and iterative collection capabilities, provide highly skilled and accessible customer support, and specialize in DDW data and intelligence.

As someone who has spent much of his career striving to better understand the DDW and how to operationalize it, I realize how confusing this can all be. But rather than let the proliferation of DDW data add-ons and the myriad similar offerings exacerbate this confusion, we must remember that every successful intelligence operation starts with the right data. And while obtaining this data is rarely easy, the considerations outlined in this article should help you make a more informed decision about which DDW data offerings are suitable for your needs.